CVE-2026-40878
Status: Received - Intake
Cross-Site Scripting in mailcow Web Interface via Unsafe Twig Rendering

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product             Version / Range
mailcow  mailcow_dockerized  up to 2026-03b (excluding)
mailcow  dockerized          up to 2026-03b (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40878 is a low-severity reflected parameter injection and wrong-context Cross-Site Scripting (XSS) vulnerability in the mailcow-dockerized login page, affecting versions prior to 2026-03b.

The vulnerability occurs because the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` value directly to Twig templates as a global variable and renders it inside a JavaScript string literal within the `setLang()` helper function in `base.twig`. This rendering relies on Twig's default HTML auto-escaping rather than the appropriate JavaScript escaping, allowing attacker-controlled input to be reflected unsafely.

Additionally, the `query_string()` Twig helper merges all current `$_GET` parameters into language-switching links on the login page, causing attacker-supplied parameters to be reflected and persist across navigation.

An attacker can craft malicious URLs that inject parameters into both the JavaScript context and language-switching links, enabling phishing attacks targeting users who click such links.

Direct script execution is usually blocked by Twig's HTML escaping of characters like `'`, `<`, `>`, and `&`, but the backslash (`\`) character is not escaped, and inside a JavaScript string literal a backslash escapes whatever character follows it. In some environments, this can break JavaScript functionality on the login page, disabling features like FIDO2/WebAuthn login, CSRF token injection, and the dark-mode toggle.

The vulnerability requires no privileges or authentication but does require user interaction (clicking a crafted link). It was fixed in version 2026-03b by applying proper JavaScript escaping, sanitizing the URI variable, and restricting allowed query parameters.


How can this vulnerability impact me?

This vulnerability can impact you by enabling attackers to perform high-credibility phishing attacks through crafted URLs that inject malicious parameters into the login page.

It can also disrupt critical login page JavaScript functionality, such as FIDO2/WebAuthn login handlers, CSRF token injection, and user interface features like the dark-mode toggle, potentially degrading user experience and security.

Since the vulnerability requires no privileges or authentication, any user clicking a maliciously crafted link could be affected.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your mailcow-dockerized installation is running a version prior to 2026-03b, as those versions are affected.

You can also detect attempts to exploit this vulnerability by monitoring HTTP requests to the mailcow login page that contain suspicious or crafted query parameters, such as unusual GET parameters that might inject scripts or backslashes in the URL.

Suggested commands to help detect the vulnerability or exploitation attempts include:

  • Check the installed mailcow version by inspecting the Docker container tags or the mailcow version files.
  • Search the web server access logs for suspicious requests with crafted query strings, for example:
      grep -iE 'session_expired|redirect|\\' /var/log/nginx/access.log
  • Monitor for URLs containing backslashes or unusual parameters that might break the JavaScript escaping.
  • Use network monitoring tools or an intrusion detection system to alert on suspicious URL patterns targeting the login page.
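A concrete version of the log search suggested above, as an added Python example rather than anything from the advisory or from mailcow: it parses nginx `combined` access-log lines, keeps only requests to the login page, and flags a query string that carries a backslash (raw or percent-encoded as `%5C`) or parameters outside an allow-list. The sample log lines are constructed, and the login paths and the parameter allow-list are hypothetical; the real route and parameter names live in mailcow's own code.

```python
# Added example (not from the advisory or mailcow): scan nginx 'combined'
# access-log lines for login-page requests whose query string carries a
# backslash (raw or percent-encoded %5C) or parameters outside an allow-list.
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical values: the real login route and parameter names are mailcow's.
LOGIN_PATHS = frozenset({"/", "/index.php"})
ALLOWED_PARAMS = frozenset({"lang", "session_expired"})


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields, or None if it is not 'combined' format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target: str) -> list:
    """Return the reasons a request target looks like an attempt against the login page."""
    parts = urlsplit(target)
    if parts.path not in LOGIN_PATHS:
        return []  # only the login page renders setLang()/query_string()
    reasons = []
    # A backslash survives HTML escaping, so it is the character worth hunting for.
    if "\\" in parts.query or "%5c" in parts.query.lower():
        reasons.append("backslash in query string")
    keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    extra = sorted(keys - ALLOWED_PARAMS)
    if extra:
        reasons.append("non-allow-listed params: " + ",".join(extra))
    return reasons


def scan(lines) -> list:
    """Return (client ip, request target, reasons) for every flagged line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["target"])
        if reasons:
            hits.append((rec["ip"], rec["target"], reasons))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:10:00:01 +0000] "GET /?lang=de HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Apr/2026:10:00:05 +0000] "GET /?lang=en&session_expired=1&foo=%5C HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '198.51.100.4 - - [21/Apr/2026:10:00:09 +0000] "GET /api/v1/get/status HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [21/Apr/2026:10:00:12 +0000] "GET /index.php?lang=en\\ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {'; '.join(reasons)}")
```

Run it against a real `access.log` by replacing `SAMPLE_LOG` with the file's lines; hits on the login path with a backslash in the query string are the ones worth correlating with the client address and user agent.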

What immediate steps should I take to mitigate this vulnerability?

The only effective mitigation for this vulnerability is to upgrade mailcow-dockerized to version 2026-03b or later, where the issue is fixed.

The fix includes proper JavaScript-context escaping of the URI variable, sanitization of the global URI variable so that it carries only safe paths and allow-listed query parameters, and restricting the `query_string()` helper to an allow-list of known parameters.

No workarounds exist, so upgrading promptly is critical to prevent exploitation.
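The wrong-context escaping explained in the answers above, and the three-part fix summarized in this mitigation answer, as an added Python example that is not mailcow's code and does not use Twig itself: `html_escape()` stands in for Twig's default HTML strategy, `js_escape()` models Twig's `js` strategy (an assumption about its exact output, not a copy of Twig's implementation), `render_setlang()` mimics the shape of a `var url = '...'` line that `base.twig` would emit (the exact line in mailcow is not reproduced), and `query_string()`/`sanitize_uri()` show an allow-listed replacement for a helper that merged every `$_GET` key. The parameter allow-list and the safe-path pattern are hypothetical.

```python
# Added example (not mailcow's code, not Twig): why HTML-escaping a value that is
# emitted inside a JavaScript string literal is the wrong context, why a bare
# backslash survives it, and what the allow-listed helpers from the fix look like.
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit


def html_escape(value: str) -> str:
    """Stand-in for Twig's default 'html' strategy: & < > " ' become entities; '\\' is untouched."""
    return html.escape(value, quote=True)


def js_escape(value: str) -> str:
    """Modelled on Twig's 'js' strategy (assumption): every char outside [A-Za-z0-9,._] is hex-escaped."""
    out = []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in ",._":
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def render_setlang(uri: str, escape) -> str:
    """Emit the kind of line a template builds from REQUEST_URI: var url = '<escaped>';  (shape assumed)"""
    return f"var url = '{escape(uri)}';"


def literal_terminates(js_line: str) -> bool:
    """Scan the single-quoted JS string literal in js_line; True if its closing quote is reached.
    In JS a backslash escapes the next character, so a trailing '\\' swallows the closing quote."""
    i = js_line.index("'") + 1
    while i < len(js_line):
        ch = js_line[i]
        if ch == "\\":
            i += 2  # escaped character, whatever it is
            continue
        if ch == "'":
            return True
        i += 1
    return False


# Hypothetical safe-path pattern; the real one would be tailored to the application's routes.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")


def query_string(params: dict, allowed: frozenset) -> str:
    """Allow-listed replacement for a helper that merged every $_GET key into links."""
    kept = {k: v for k, v in params.items() if k in allowed}
    return urlencode(sorted(kept.items()))


def sanitize_uri(request_uri: str, allowed: frozenset) -> str:
    """Keep only a SAFE_PATH path and allow-listed query keys; anything else collapses to '/'."""
    parts = urlsplit(request_uri)
    path = parts.path if SAFE_PATH.match(parts.path) else "/"
    qs = query_string(dict(parse_qsl(parts.query, keep_blank_values=True)), allowed)
    return f"{path}?{qs}" if qs else path


if __name__ == "__main__":
    tainted = "/?x=\\"  # constructed: a REQUEST_URI ending in a bare backslash
    for name, esc in (("html", html_escape), ("js", js_escape)):
        line = render_setlang(tainted, esc)
        print(f"{name:4} {line!r:40} literal closes: {literal_terminates(line)}")
    print(sanitize_uri("/?lang=de&session_expired=1&evil=%27", frozenset({"lang", "session_expired"})))
```

The HTML-escaped rendering leaves `var url = '/?x=\';` on the page, where the backslash consumes the closing quote and the script no longer parses; the `js`-escaped rendering turns the same input into `\x2F\x3Fx\x3D\x5C` and the literal closes normally. Sanitizing the URI before it reaches the template removes the unknown parameter entirely, so even the escaping step sees only allow-listed input.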


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in mailcow-dockerized allows attacker-supplied parameters to be reflected and preserved across navigation on the login page, enabling high-credibility phishing attacks targeting users who click crafted links.

Such phishing attacks could potentially lead to unauthorized access or disclosure of personal or sensitive information, which may impact compliance with standards and regulations like GDPR or HIPAA that require protection of user data and prevention of unauthorized access.

However, the vulnerability itself is rated as low severity with low impacts on confidentiality, integrity, and availability, and requires user interaction.

No direct mention is made about specific compliance violations, but the risk of phishing and potential data exposure could indirectly affect compliance with data protection regulations.

